Secure Systems Lab

BinCFI: Control Flow Integrity for COTS Binaries

This release has been superseded by PSI, a platform for static binary instrumentation. Please download that version instead of BinCFI.

Introduction

Control-Flow Integrity (CFI) has been recognized as an important low-level security property. Its enforcement can defeat most injected and existing code attacks, including those based on Return-Oriented Programming (ROP). Previous implementations of CFI have required compiler support or the presence of relocation or debug information in the binary. In contrast, we present a technique for applying CFI to stripped binaries on x86/Linux. Ours is the first work to apply CFI to complex shared libraries such as glibc. Through experimental evaluation, we demonstrate that our CFI implementation is effective against control-flow hijack attacks, and eliminates the vast majority of ROP gadgets. To achieve this result, we have developed robust techniques for disassembly, static analysis, and transformation of large binaries. Our techniques have been tested on over 300MB of binaries (executables and shared libraries).

Status

This release has been superseded by PSI, a platform for static binary instrumentation. Please download that version instead of BinCFI.

Download

This release has been superseded by PSI, a platform for static binary instrumentation. Please download that version instead of BinCFI.

Acknowledgments

This work was supported in part by an NSF grant CNS-0831298, an AFOSR grant FA9550-09-1-0539, and an ONR grant N000140710928.


Copyright © 1999-2013 Secure Systems Laboratory, Stony Brook University. All rights reserved.